APPARATUS AND METHOD FOR AUTHENTICATING A USER WHEN ACCESSING TO MULTIMEDIA SERVICES

FIELD OF THE INVENTION 

[0001] The present invention relates to a simplified procedure for authenticating a user accessing a Multimedia network through an Access network where the user has already been authenticated.

BACKGROUND 

[0002] Many of the presently existing mobile networks, as well as possible future networks being defined by standardisation bodies, require end-users and user-agents to authenticate themselves when accessing a network or, rather, when accessing services associated with the network. In this respect, GSM, GPRS, Wireless Local Area Network (WLAN) and Multimedia (IMS) domains, as defined by 3GPP and 3GPP2 standards, all require user's equipment or terminals arranged to run an authentication procedure specific to each particular technological domain before granting users or user-agents access to said domains. In particular, the technological domains cited above, as well as other emerging technological domains, require different security levels that further complicate access across different technological domains. Such cross-domain access implies extra security that is not always needed and, as a consequence, extra processing and signalling capabilities as well as extra complexity in the user's equipment or terminals.

[0003] Currently, the authentication procedure in a 3GPP Multimedia domain is carried out as described in the 3G TS 33.203 standard and depicted in Fig. 1 in terms of a Session Initiation Protocol (SIP) based signalling flow. As Fig. 1 illustrates and the referred technical specifications describe, Multimedia authentication shall always be carried out when a user registers in the Multimedia domain, which is typically started by sending a SIP Register message for a given private and public identity.

[0004] An initial condition assumed before starting the flow cited above is that an end-user must have a data connection open before accessing the Multimedia domain. This connection may be either a GPRS connection in terms of having a PDP context activated, or a WLAN connection in terms of having established a data connection as specified by the IEEE 802.11 standards, or another Access network providing the user side with a data connection. In this scenario, an end-user or a user-agent must have been already authenticated by the access network, whether GPRS or WLAN or another, in order to establish such data connection and before sending a SIP Register to the Multimedia domain.

[0005] In particular, both currently used access networks, namely GPRS and WLAN, offer respective authentication mechanisms, SIM/USIM-AKA for GPRS and EAP-SIM/AKA for WLAN, whereas the Multimedia domain currently makes use of an authentication mechanism offering a similar level of security as the above access networks, the so-called USIM-AKA, which is carried out when the SIP Register message reaches a Serving Call Status Control Function (S-CSCF) entity as shown in Fig. 1. In this respect, Fig. 2 illustrates the sequence of actions followed to carry out an EAP AKA authentication for a user having accessed a WLAN network, wherein RADIUS and MAP seem to be the most probable protocol alternatives, though DIAMETER could also be used instead of RADIUS or MAP.

[0006] At present, a user wanting to get access to the Multimedia domain requires the previous establishment of a data connection, which is frequently carried out through an access network such as GPRS or WLAN; consequently, the user has been authenticated firstly with an EAP-SIM/AKA for a WLAN access network, and further the user should be authenticated secondly with a USIM-AKA when registering into the Multimedia domain.

[0007] One may conclude that at present there is no authentication mechanism carrying out a cross-domain authentication for a given user between an access network such as GPRS or WLAN and a SIP-based Multimedia domain. In other words, there is no existing service or device that is able to administer authentication data on behalf of a user or a SIP user-agent and relieve said user or SIP user-agent from having to perform authentication operations in the Multimedia domain once an authentication has already taken place in the access network through which the user is accessing, said access network being likely GPRS or WLAN.

[0008] In this situation, the authentication for the Multimedia domain as described in 3G TS 33.203 and illustrated in Fig. 1 adds extra signalling in the radio path that, under some scenarios, might be unnecessary. Firstly, after a SIP Register is received by the S-CSCF, the S-CSCF typically sends an Authentication Challenge message to the SIP user-agent. If this operation is successful, then the S-CSCF will periodically send an Authentication-Vector-request to the SIP user-agent that in turn must respond with an Authentication-Vector-response. Both of these messages add extra load on the Multimedia domain as well as longer registration times. That is, SIP user-agents should process and respond to both the Authentication-Challenge and Authentication-Vector-request. These messages require extra processing by the SIP user-agent, which means that the SIP user-agent has to use power for this process rather than using as much power as possible for Multimedia services, which are likely of a high power consumption nature, bearing in mind the limited power of batteries.
[0009] Thereby, the present invention is aimed to provide an inter-domain authentication mechanism carrying out a cross-domain authentication for a given user between an access network domain and a Multimedia domain, this inter-domain authentication mechanism being simpler than the currently existing one, and applicable where a user authentication has been carried out by the access network.

SUMMARY OF THE INVENTION 

[0010] The above aim is accomplished in accordance with the present invention by the provision of the device of claim 1, the user's equipment of claim 10, and the method of claim 15, all arranged for re-using authentication data between different networks or between different technological domains, and with help from the serving entity of claim 23 in charge of authenticating the user in the Multimedia domain and from the Proxy entity of claim 29 and the interrogating entity of claim 32, both being entities of a Multimedia domain according to 3GPP and 3GPP2 standards. Therefore, there is a new feature provided in accordance with the invention, and referred to hereinafter as "Implicit Authentication for Multimedia domain", which may be implemented as a dedicated Multimedia Authentication device in close co-operation with a subscriber server, or be fully integrated in said subscriber server. Said subscriber server is a subscriber database involved during the subscriber authentication, for example a Home Subscriber Server (HSS) or an Authentication-Authorisation-Accounting (AAA) server, and the Multimedia Authentication device holds the necessary logic and components to enable the re-use of authentication data between an access network such as a Wireless Local Area Network (WLAN), a General Packet Radio System (GPRS) network, a Universal Mobile Telecommunication System (UMTS), or a Code Division Multiple Access (CDMA 2000) network, and said Multimedia domain.
[0011] The device, which in accordance with the invention is useful for Multimedia authentication of a user accessing a Multimedia domain through an access network, is arranged for use in, or in co-operation with, a subscriber server of the access network holding authentication data for the user and accessible to the Multimedia domain. Said device comprises means for deciding that an implicit authentication between the user or, rather, between the user's equipment and the Multimedia domain can take place, and means for instructing a serving entity in charge of authenticating the user in the Multimedia domain that an implicit authentication can take place. The use of this device thus skips the need for an explicit authentication.

[0012] In this device, the means for deciding that an implicit authentication can take place preferably includes means for determining the potential security of the signalling path to access the Multimedia domain through said access network. For this purpose, the device may also comprise provisioning and configuration data means arranged to assess the security of different signalling paths. Moreover, the means for deciding that an implicit authentication can take place may include means for processing a proposal of implicit authentication originated from the user's equipment.

[0013] The device is advantageously arranged to determine whether an implicit authentication is just a proposal to the user's equipment, which may force an explicit authentication, or it is a final decision taken by the network, so that no explicit authentication can be carried out. Therefore, the means for instructing the serving entity that an implicit authentication can take place include means for indicating that the final decision is on the user's equipment and means for indicating that this is a final decision taken by the network.
[0014] In this respect, the device further comprises means for notifying the user that an implicit authentication of the user for accessing the Multimedia domain can be carried out by the network. Nevertheless, this notification means might as well reside in other entities of the Multimedia domain.

[0015] Moreover, given that the final decision on whether or not to perform an implicit authentication may be on the user's equipment side in accordance with the invention, the device further comprises means for receiving an indication originated from the user's equipment side to confirm the acceptance of the implicit authentication proposed by the network. In case of receiving such acceptance confirmation, the device also comprises means for indicating to the serving entity in charge of authenticating the user in the Multimedia domain that the user's equipment has confirmed the implicit authentication. Still further, the device may have the means for providing additional authentication data to said serving entity, said additional authentication data including at least one element selected from a group of elements comprising: authentication type; access information; and authentication timestamp.

[0016] Conventionally, a user's equipment is enabled to get access to a Multimedia domain through an access network, and is thus arranged to carry out a first explicit authentication procedure with the access network, and a second explicit authentication procedure with a Multimedia domain. The access network comprises a subscriber server to hold authentication data for the user and, for the purpose of the present invention, said subscriber server is accessible to the Multimedia domain. The user's equipment, in accordance with the invention, comprises means for processing at least one notification selected from a group of notifications including: a notification from the Multimedia domain indicating that an implicit authentication for the user can be carried out; and a notification towards the Multimedia domain indicating that the user's equipment proposes an implicit authentication to the network.

[0017] These means may advantageously include means for receiving an indication from the Multimedia domain that the final decision is on the user's equipment side, which might force an explicit authentication, or that it is a final decision taken by the network, so that no explicit authentication can be carried out. Especially arranged for the case where the final decision is on the user's side, the user's equipment further comprises means for sending towards the Multimedia domain an indication to confirm the acceptance of an implicit authentication proposed by the network. Moreover, the user's equipment may have the means for providing additional authentication data towards the Multimedia domain, said additional authentication data including at least one element selected from a group of elements comprising: authentication type; access information; and authentication timestamp.

[0018] There is also provided a method for authenticating a user in a Multimedia domain when the user accesses thereto through an access network, the method conventionally comprising a step of authenticating the user in the access network, said access network having a subscriber server with authentication data for the user and accessible to the Multimedia domain; and a step of registering the user into the Multimedia domain.

[0019] This method, in accordance with the invention, also comprises:

- a step of deciding that an implicit authentication between the user and the Multimedia domain can take place, thus skipping the need for an explicit authentication; and
- a step of instructing a serving entity in charge of authenticating the user in the Multimedia domain that implicit authentication can take place.

[0020] This method may further comprise a step of notifying from the Multimedia domain to the user's equipment that an implicit authentication of the user for accessing the Multimedia domain can be carried out.

[0021] In this method, the step of deciding that an implicit authentication can take place preferably includes a step of determining the potential security of the signalling path to access the Multimedia domain through said access network. Moreover, the above step of deciding that an implicit authentication can take place may include as well a step of proposing from the user's equipment towards the Multimedia domain an implicit authentication to be carried out between said user's equipment and Multimedia domain.

[0022] Also in this method, the step of instructing the serving entity that an implicit authentication can take place preferably includes a step of indicating whether the final decision is on the user's equipment, which might force an explicit authentication, or the final decision is taken by the network, so that no explicit authentication can be carried out. In addition, and specifically for the case where the final decision is on the user's side, the method may further comprise a step of confirming from the user's equipment the acceptance of the implicit authentication proposed by the network. Moreover, and aligned with the above step, the method may further comprise a step of indicating to the serving entity in charge of authenticating the user in the Multimedia domain that the user has confirmed the implicit authentication.

[0023] The invention further provides for a serving entity in charge of authenticating a user's equipment in the Multimedia domain when the user accesses thereto through an access network where said user had been previously authenticated. This serving entity comprises, in accordance with the invention, means for receiving instructions from the above device indicating that an implicit authentication can take place; and means for notifying the user's equipment that an implicit authentication of the user for accessing the Multimedia domain can be carried out by the network.

[0024] This serving entity is advantageously arranged in such manner that the means for notifying the user that an implicit authentication can be carried out by the network includes means for indicating to the user whether the implicit authentication is a final decision taken by the network and no explicit authentication can be carried out, or the implicit authentication is a proposal from the network that the user may accept or refuse by forcing an explicit authentication.

[0025] In the case that the implicit authentication is a proposal by the network, the serving entity advantageously comprises means for receiving an indication originated from the user's equipment to confirm the acceptance of such implicit authentication proposed by the network. Moreover, this serving entity preferably comprises means for receiving such indication that the user has confirmed the implicit authentication from the above device.

[0026] This serving entity may advantageously comprise further means for checking the matching of additional authentication data respectively received from the above device and user's equipment in order to provide an extra security support. These additional authentication data include at least one element of a group of elements comprising: authentication type, access information and authentication timestamp.
[0027] The invention is further complemented with the provision of some other entities, such as a Proxy and an interrogating entity, in order to address a typical topology following a 3GPP or a 3GPP2 standard.

[0028] The Proxy entity, in accordance with 3GPP and 3GPP2 standards, is intended to act as an entry point into the Multimedia domain for users accessing thereto through an access network where the user had been already authenticated. This Proxy entity, in accordance with the invention, comprises means for processing at least one notification selected from a group of notifications including:

- a notification sent towards the user's equipment to indicate that an implicit authentication of the user for accessing the Multimedia domain can be carried out by the network; and
- a notification received from the user's equipment to propose an implicit authentication towards the Multimedia domain between said user's equipment and Multimedia domain.

[0029] This Proxy entity is also advantageously arranged so that the means for notifying the user that an implicit authentication can be carried out by the network includes means for indicating to the user whether the implicit authentication is a final decision taken by the network and no explicit authentication can be carried out, or the implicit authentication is a proposal from the network that the user may accept or refuse by forcing an explicit authentication.

[0030] In the case that the implicit authentication is a proposal by the network, the Proxy entity advantageously comprises means for receiving an indication from the user's equipment accepting such implicit authentication proposed by the network.
[0031] The interrogating entity, in accordance with 3GPP and 3GPP2 standards, is intended to query a subscriber server in the Multimedia domain about a user having accessed said Multimedia domain through another access network. This interrogating entity has means for receiving a registration request from the user, and means for acknowledging such registration towards the user and, in accordance with the invention, the interrogating entity also comprises means for transmitting an indication towards the user's equipment that an implicit authentication of the user for accessing the Multimedia domain can be carried out.

[0032] The interrogating entity, in order to accomplish other advantageous features provided by the invention, preferably comprises means for receiving an indication originated from the user's equipment to confirm acceptance of an implicit authentication proposed by the network, or to propose such implicit authentication by itself; and means for transmitting such confirmation of user's acceptance towards at least one entity selected from a group of entities comprising the above device and serving entity.

[0033] Moreover, and also for accomplishing other advantageous features provided by the invention, the interrogating entity further comprises means for transmitting towards the user's equipment an indication that the implicit authentication is a final decision taken by the network and no explicit authentication can be carried out.

BRIEF DESCRIPTION OF DRAWINGS 

[0034] The features, objects and advantages of the invention will become apparent by reading this description in conjunction with the accompanying drawings, in which:
[0035] FIG. 1 shows a basic diagram of the authentication flow in a Multimedia domain in accordance with the 3GPP TS 33.203.

[0036] FIG. 2 illustrates an overview of architectural components and signalling flow during authentication of a user following an EAP-AKA mechanism through a WLAN access network.

[0037] FIG. 3 shows a flow sequence describing a currently preferred embodiment for re-using previous authentication of a user having access through a GPRS or UMTS network to the Multimedia domain, where the user's equipment receives a notification in this respect and is given the possibility to accept or not an Implicit Authentication.

[0038] Fig. 4 shows a flow sequence describing an alternative embodiment to the one shown in Fig. 3, where the user's equipment receives a notification in this respect without being given the possibility to accept or not an Implicit Authentication, but rather being informed that such Implicit Authentication has taken place.

[0039] Fig. 5 shows an alternative flow sequence describing an alternative embodiment to the ones shown in Fig. 3 and Fig. 4, where the user's equipment receives an invitation during the location procedure to further carry out an Implicit Authentication towards the Multimedia domain, the user thus being given the possibility to accept or not an Implicit Authentication.

[0040] Fig. 6 shows an alternative flow sequence to the one shown in Fig. 5, where the user's equipment receives an invitation with a Short Message Service (SMS) to further carry out an Implicit Authentication towards the Multimedia domain, the user thus being given the possibility to accept or not an Implicit Authentication.

WO 2005/020619 PCT/SE2003/001316
[0041] Fig. 7 shows a flow sequence describing a currently preferred embodiment for re-using previous authentication of a user having access through a WLAN network to the Multimedia domain, where the user's equipment receives a notification in this respect and is given the possibility to accept or not an Implicit Authentication.

[0042] FIG. 8 shows a flow sequence describing another preferred embodiment for re-using previous authentication of a user by a CDMA 2000 network, the user accessing through a Packet Data Service network to the Multimedia domain, where the user's equipment receives a notification in this respect and is given the possibility to accept or not an Implicit Authentication.

[0043] FIG. 9 shows an alternative flow sequence to those presented in Fig. 5 and 6, where the user's equipment does not receive an invitation, with an Update Location Answer message or with a Short Message Service (SMS) respectively, to further carry out an Implicit Authentication, but rather the user's equipment generates a proposal for an implicit authentication to the network.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

[0044] The following describes currently preferred embodiments of an apparatus, a user's equipment and a method for offering a user the possibility to be implicitly authenticated by a Multimedia domain when accessing through an access network where the user has been already authenticated, the access network being preferably a Wireless Local Area Network (WLAN), a General Packet Radio System (GPRS) network, a Global System for Mobile communications (GSM) network, a Universal Mobile Telecommunication System (UMTS) network, or a Code Division Multiple Access network (CDMA 2000).
[0045] The present invention presents several aspects in connection with the place wherein the feature "Implicit Authentication for Multimedia domain" resides, which in particular may be carried out by an isolated device in close co-operation with a subscriber server or be carried out by the subscriber server itself.

[0046] Moreover, the present invention also presents several aspects in connection with the user's equipment, namely the user's terminal, or SIM, or USIM, or combinations thereof, depending on the degree of decision left on the user's side or on the network side.

[0047] In accordance with a first aspect of the present invention, the subscriber server itself, which in particular may be a HSS in 3GPP or an AAA-server in 3GPP2 standards and CDMA 2000 networks, or a Multimedia Authentication device supporting the access to the Multimedia domain for a specific user, determines that an explicit authentication for the Multimedia domain might be unnecessary based on a previous subscriber authentication carried out by the access network through which the user is accessing, and based on an assumption that a secure bearer for Multimedia signalling is carried out through the access network. Such secure bearer may be for instance a PDP context in case of GPRS being the access network, or a secure tunnel in case of WLAN being the access network towards the home network while carrying out the subscriber authentication.

[0048] In accordance with the invention, the subscriber server, or the dedicated Multimedia Authentication device, provides to a serving entity in charge of authenticating the user, namely a Serving Call Status Control Function (S-CSCF), an authentication policy indicating that an Implicit Authentication procedure can be performed for said user accessing the Multimedia domain, based on a previous bearer authentication through the access network.
[0049] Apart from authenticating a user by the network where the user is accessing, the 3GPP authentication procedures support the authentication of the network by the user. Therefore, and in accordance with another aspect of the invention, the subscriber server or the dedicated Multimedia Authentication device can optionally indicate to the user's equipment another authentication policy to suggest a possible mutual Implicit Authentication that the user may or may not accept.

[0050] Thanks to the feature "Implicit Authentication for Multimedia domain", the amount of authentication operations performed either by the user or by the user's equipment, and by the network, is reduced and, thus, a reduction of avoidable signalling messages in the Multimedia domain is achieved while maintaining the required security level, accomplishing one object of the present invention.

[0051] The invention is applicable to different scenarios where a user makes use of a particular access network for accessing the Multimedia domain, thus resulting in different embodiments of the invention. In addition, several variations may be introduced from one embodiment to another without substantially departing from the scope of the present invention.

[0052] A first scenario turns up where a user has been authenticated by a UMTS network and is further accessing the Multimedia domain through a GPRS network.

[0053] Under this scenario and in accordance with a first embodiment of the present invention illustrated in Fig. 3, there is provided a simplified mechanism for authenticating the user in the Multimedia domain wherein the user is notified of a possible implicit authentication. The user, or rather the user's equipment side (UE), upon receiving this notification, may accept the implicit authentication or force an explicit authentication in accordance with the applicable standard for the Multimedia domain as Fig. 1 illustrates. Moreover, this implicit authentication may apply to both authentication of the user by the network as well as authentication of the network by the user. Furthermore, said implicit authentication might be triggered by a subscriber server such as the Home Subscriber Server (HSS) responsible for the previous authentication of the user in the UMTS network, as illustrated in Fig. 3, or by a dedicated Multimedia Authentication device in co-operation with said subscriber server.

[0054] Therefore, in accordance with this first embodiment shown in Fig. 3, an end-user or user's equipment is attached and authenticated in UMTS and has a GPRS PDP context open. At this stage, the end-user and user-agent gain access to the Multimedia domain by initiating a SIP Registration procedure.

[0055] This SIP Registration procedure comprises the sending of a SIP Register message from the user side (UE) towards a Proxy Call Status Control Function (P-CSCF), and from this entity towards an Interrogating Call Status Control Function (I-CSCF). The I-CSCF initiates a conventionally called Cx-Selection-Info procedure towards the Home Subscriber Server (HSS) in order to identify the Serving Call Status Control Function (S-CSCF) currently in charge of the user. Once such S-CSCF is identified, the I-CSCF sends a corresponding SIP Register message to the S-CSCF. The S-CSCF receiving such registration message initiates a conventionally called Cx-Put procedure towards the Home Subscriber Server (HSS).

[0056] Given that the HSS had previously participated in the GPRS access authentication of the user by exchanging a user profile and authentication vectors with a Serving GPRS Support Node (SGSN), the HSS uses its information about the SGSN where the subscriber is located, in addition to other network topology information, to determine the potential security of the signalling path for accessing the Multimedia domain through said access network. Thereby, in accordance with the invention, the HSS itself, or a dedicated Multimedia Authentication device, can decide an Implicit Authentication for the user. To this end, the HSS includes an indication of "Implicit Authentication" in the Cx-Put-response towards the S-CSCF.

[0057] The decision to send this message towards the S-CSCF is advantageously made when the Gateway GPRS Support Node (GGSN) belongs to the same home domain as the HSS and the GGSN is thus considered secure and trusted. A particularly suitable scenario is when the HSS also trusts the SGSN where the subscriber is located, as they both belong to the same network operator, for instance, and irrespective of whether or not the user is given the possibility to further refuse the proposed implicit authentication.

[0058] In addition, the feature "Implicit Authentication for Multimedia domain" may include data provisioning and data configuration on a subscriber basis so that when a user has this service provisioned and the user is trusted, the HSS itself, or a dedicated Multimedia Authentication device, can determine an Implicit Authentication for that user. In this respect, and taking into account that a particular user may be given a plurality of user's identifiers in the Multimedia domain, the implicit authentication hereinafter referred to, and described under different embodiments, can apply to all or to specific user's identifiers in the Multimedia domain.

[0059] Additionally, other relevant information may also be 
sent towards the S-CSCF in the Cx-Put-response message, such 
as authentication type, access information like for example 
IP address and contact information, authentication timestamp, 
and other significant data in order to provide an extra 
security support. 
[0060] Accordingly with an aspect of the invention commented 
above, the user may be notified of an Implicit Authentication 
proposed by the network and intended for the user to accept 
it or not. Therefore, the S-CSCF sends to the SIP user-agent 
a new SIP message called "SIP 4xx Implicit Authentication" in 
the instant specification so that the SIP user-agent, if 
found acceptable, disables internally the explicit Multimedia 
Authentication procedure conventionally carried out. That is, 
the SIP user-agent shall not wait, or expect to receive, 
either an Authentication-Challenge message or authentication 
vectors as described in 3G TS 33.203. Moreover, the SIP user-
agent or, more generally, the user's equipment shall consider 
the network supporting the Multimedia domain as implicitly 
authenticated. On the other hand, the SIP user-agent might 
consider the Implicit Authentication not acceptable, in 
which case an appropriate negative acknowledgement, not shown in 
any drawing, is sent towards the network in order to force a 
conventional explicit authentication mechanism according to 
the above applicable standard. 

[0061] Still with reference to Fig. 3, once the SIP user-
agent has accepted the Implicit Authentication, it responds 
to this message with a new SIP Register message. 

[0062] At this stage, one may be aware that thanks to the 
Implicit Authentication carried out in accordance with the 
invention by re-using at the Multimedia domain authentication 
data from a trusted access network, the present invention 
also provides an advantageous solution to support Single 
Sign-On (SSO) at the Multimedia domain for users who had been 
already authenticated by an access network before accessing 
said Multimedia domain. 

WO 2005/020619 PCT/SE2003/001316 

[0063] Aligned with this advantageous solution, Fig. 3 shows 
that the SIP Register ultimately sent from the SIP user-agent 
of the user's equipment to the S-CSCF includes an indication 
of "SSO enabled" intended to indicate to the network that the 
Implicit Authentication is accepted. The network submits such 
SIP Register message towards the S-CSCF that in turn sends 
back a successful result "SIP 200 OK" towards the user's 
equipment. The end-user is now registered in the Multimedia 
domain without those extra periodic authentication processes 
conventionally occurring throughout the end-user's Multimedia 
registration. 

[0064] Generally speaking for this and also applicable for 
other embodiments further described, and provided that there 
is a notification from the user's equipment about an implicit 
authentication, the serving entity (S-CSCF) might check as 
well whether other relevant data, respectively included in 
the SIP Register and in the Cx-Put-response, are coincident 
with regard to the implicit authentication and single sign-on 
access. Said relevant data may be, for example, an 
authentication type, access information like for example IP 
address and contact information, an authentication timestamp, 
or combinations thereof, and other significant data to 
provide an extra security support. 

[0065] Still under the above scenario where a user has been 
authenticated by a UMTS network and is further accessing the 
Multimedia domain through a GPRS network, and in accordance 
with a second embodiment illustrated in Fig. 4, there is 
provided a still more simplified mechanism for authenticating 
a user in the Multimedia domain wherein the user is just 
notified of a decision taken by the network to carry out an 
implicit authentication. Under this second embodiment, the 
user attaches to the UMTS network and is authenticated therein 
with participation of the home subscriber server (HSS), a PDP 
context is activated with GPRS entities (SGSN, GGSN), and a 
SIP Register message is sent towards the Call Status Control 
Function (P-CSCF, I-CSCF, S-CSCF) entities in order to 
register into the Multimedia domain in a similar manner as 
done in the first embodiment. The difference between these 
first and second embodiments is that the HSS itself, or a 
dedicated Multimedia Authentication device, makes a final 
decision to carry out an Implicit Authentication for the 
user. To this end, the HSS includes an indication "Implicit 
Authentication by the network" in the Cx-Put-response towards 
the S-CSCF. 

[0066] Then, after having completed a "Cx-Pull-process" 
between the S-CSCF and the HSS, and without having requested 
the user's acceptance, the S-CSCF notifies to the user that 
the network has performed an Implicit Authentication on its 
own by including an indication "Implicit Authentication by 
the network" in a specific "SIP 2xx OK" response, instead of 
using the above new "SIP 4xx" message. 

[0067] Upon reception of said "SIP 2xx OK" response with an 
indication "Implicit Authentication by the network", the SIP 
user-agent shall not wait, or expect to receive, either an 
Authentication-Challenge message or authentication vectors as 
described in 3G TS 33.203. Moreover, the SIP user-agent or, 
more generally, the user's equipment may consider the network 
supporting the Multimedia domain as implicitly authenticated, 
provided that the user's equipment is configured to carry out 
such authentication of the network. 

[0068] The end-user is now registered in the Multimedia 
domain without those extra periodic authentication processes 
conventionally occurring throughout the end-user's Multimedia 
registration, and still with a simpler mechanism than the one 
described in the first embodiment. 

[0069] A second scenario turns up where a user has been 
authenticated by a UMTS network following a GSM attach and 
location updating procedure, and is further accessing a 
Multimedia domain through a GPRS network. In this respect and 
for the sake of clarity, the Home Subscriber Server (HSS) of 
a UMTS network comprises all the basic functionality and 
behaves as a traditional Home Location Register (HLR) of a 
GSM network, plus all the functionality required for acting 
as a subscriber server in a Multimedia domain. Nevertheless, 
provided that the traditional HLR functionality resides in a 
different entity than the subscriber server for the 
Multimedia domain, an additional interface between both 
entities, namely the GSM HLR and the subscriber server for 
the Multimedia domain, is used to share user authentication 
data. 

[0070] A still third embodiment under the above second 
scenario is illustrated in Fig. 5 wherein a new field is 
returned to the SIP user-agent of the user's equipment during 
GSM attach and location updating procedures. Therefore, the 
subscriber server (HSS) of the Multimedia domain includes an 
indication of "Implicit Authentication" in the GSM operation 
"Insert Subscriber Data" towards the Serving GPRS Support 
Node (SGSN) in the access network. Then, the SGSN also 
includes this indication of "Implicit Authentication" in the 
GSM operation "Update Location Answer" towards the SIP user-
agent. 

[0071] This indication can apply to all or specific user's 
identifiers in the Multimedia domain, and is understood by 
the user's equipment (UE) as an implicit invitation to enable 
a Single Sign-On (SSO) access to the Multimedia domain that 
the user's equipment may or may not accept. Provided that the 
implicit authentication is acceptable for the end-user (UE) 
since no extra security is required, a SIP Register message 
is sent to the Multimedia domain (P-CSCF, I-CSCF), the SIP 
Register message including an indication of "SSO enabled" 
intended to indicate to the network that the Implicit 
Authentication is accepted. 

[0072] Upon reception of such SIP Register message in an 
Interrogating Call Status Control Function (I-CSCF) entity, 
the indication of "SSO enabled" is incorporated in a new 
field of a "Cx-Query" message included in a so-called "Cx-
Selection-Info" procedure held with the Multimedia domain 
subscriber server (HSS). At this stage, the feature "Implicit 
Authentication for Multimedia domain" in the HSS itself, or 
in a dedicated Multimedia Authentication device, processes 
the indication of "SSO enabled" in order to further provide 
authentication data for the user upon request. 

[0073] The indication of "SSO enabled" is also incorporated 
in the SIP Register sent from the I-CSCF towards the Serving 
Call Status Control Function (S-CSCF) entity presently 
selected for serving the user. As in previous embodiments, 
the present embodiment illustrated in Fig. 5 also shows a 
"Cx-Put" operation carried out from the S-CSCF to the HSS. 
The HSS thus instructs the S-CSCF with a "Cx-Put-response" 
operation that includes an indication of "Implicit 
Authentication confirmed by user" in order to preclude a 
further authentication of the end-user and to avoid sending 
authentication vectors for said end-user. In turn, the S-CSCF 
might check as well whether other relevant data respectively 
included in the SIP Register and in the Cx-Put-response, are 
coincident with regard to the implicit authentication and 
single sign-on access, relevant data such as authentication 
type, access information like for example IP address and 
contact information, authentication timestamp, or 
combinations thereof, and other significant data to provide 
an extra security support. 
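The two decisions described in [0057], [0058], [0064] and [0073], the HSS deciding whether to return the "Implicit Authentication" indication and the S-CSCF cross-checking the "SSO enabled" Register against the Cx-Put-response, as an added example that is not part of the patent text; field names, the freshness window and the sample values are constructed assumptions, not 3GPP message definitions.

```python
"""Added example, not part of the patent: a minimal model of the HSS decision
([0057], [0058]) and of the S-CSCF consistency check ([0064], [0073]).
Field names and sample values are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

IMPLICIT_AUTH = "Implicit Authentication"
SSO_ENABLED = "SSO enabled"
MAX_AUTH_AGE_S = 600  # assumed freshness window for the access-network authentication


@dataclass
class AccessContext:
    """What the HSS learned while authenticating the user in the access network."""
    sgsn_domain: str     # operator domain of the SGSN where the subscriber is located
    ggsn_domain: str     # operator domain of the GGSN terminating the PDP context
    ue_ip: str           # IP address assigned to the user's equipment
    auth_timestamp: int  # seconds since epoch when the access authentication completed


@dataclass
class Subscriber:
    home_domain: str
    sso_provisioned: bool      # "Implicit Authentication for Multimedia domain" feature
    sso_identities: frozenset  # public identities the feature applies to ([0058])


def hss_cx_put_response(sub: Subscriber, ctx: AccessContext, impu: str) -> dict:
    """Content the HSS places in the Cx-Put-response ([0057], [0058], [0059])."""
    path_trusted = (ctx.ggsn_domain == sub.home_domain
                    and ctx.sgsn_domain == sub.home_domain)
    if not (path_trusted and sub.sso_provisioned and impu in sub.sso_identities):
        return {"indication": None}  # S-CSCF falls back to explicit authentication
    return {
        "indication": IMPLICIT_AUTH,
        "auth_type": "access-network",
        "ip_address": ctx.ue_ip,
        "contact": f"sip:{ctx.ue_ip}",
        "auth_timestamp": ctx.auth_timestamp,
    }


def scscf_accepts_sso(register: dict, cx_put_response: dict, now: int) -> bool:
    """S-CSCF consistency check ([0064], [0073]): register without a challenge
    only if the UE confirmed SSO and the Register data coincide with what the
    HSS reported about the access-network authentication."""
    if cx_put_response.get("indication") != IMPLICIT_AUTH:
        return False  # HSS never proposed implicit authentication
    if SSO_ENABLED not in register.get("indications", ()):
        return False  # user declined, run the 3G TS 33.203 explicit procedure
    if register.get("source_ip") != cx_put_response["ip_address"]:
        return False  # Register did not come from the address the HSS knows
    if register.get("contact") != cx_put_response["contact"]:
        return False  # contact data differ from what the access network saw
    age = now - cx_put_response["auth_timestamp"]
    return 0 <= age <= MAX_AUTH_AGE_S  # reject stale or future-dated authentication


# Constructed sample data.
HOME_SUB = Subscriber("home.example", True, frozenset({"sip:alice@home.example"}))
TRUSTED_CTX = AccessContext("home.example", "home.example", "10.0.0.7", 1_000_000)
VISITED_CTX = AccessContext("visited.example", "visited.example", "10.0.0.7", 1_000_000)
GOOD_REGISTER = {"indications": (SSO_ENABLED,), "source_ip": "10.0.0.7",
                 "contact": "sip:10.0.0.7"}
NOW = 1_000_100

if __name__ == "__main__":
    resp = hss_cx_put_response(HOME_SUB, TRUSTED_CTX, "sip:alice@home.example")
    print("trusted path, matching Register:", scscf_accepts_sso(GOOD_REGISTER, resp, NOW))
    print("visited GGSN:", hss_cx_put_response(HOME_SUB, VISITED_CTX, "sip:alice@home.example"))
```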

[0074] Eventually, after having concluded a "Cx-Pull-
process" between the S-CSCF and the subscriber server (HSS), 
the S-CSCF returns back to the user a conventional successful 
result "SIP 200 OK" towards the SIP user-agent at the user's 
equipment. 

[0075] A further fourth embodiment under the above second 
scenario is illustrated in Fig. 6 wherein the only difference 
with the previous third embodiment shown in Fig. 5 is that 
the indication of "Implicit Authentication" is returned to 
the SIP user-agent of the user's equipment in a Short Message 
sent from a Short Message Service Centre (SMSC) as previously 
instructed by the subscriber server (HSS) itself, or by a 
dedicated Multimedia Authentication device, and once the GSM 
attach and authentication procedures are over, instead of 
being done during the location updating procedure. For the 
sake of clarity in drawings, the pair of GPRS entities SGSN 
and GGSN in Fig. 5 are replaced with a so-called "GSM" entity 
in Fig. 6. This indication of "Implicit Authentication", as 
for an above embodiment, can also apply to all or specific 
user's identifiers in the Multimedia domain. Once the user's 
equipment is aware of having received this indication of 
"Implicit Authentication", and provided that such implicit 
authentication is found acceptable, the user's equipment 
processes the message, and includes an indication of "SSO 
enabled" in a SIP Register message being sent to access the 
Multimedia domain (P-CSCF, I-CSCF), the indication of "SSO 
enabled" intended to indicate to the network that the 
Implicit Authentication is accepted by the user's equipment. 
From this point on, the signalling flow may be the same as in 
the previous third embodiment. 

[0076] Also in the embodiments under this second scenario 
the end-user is registered in the Multimedia domain without 
those extra periodic authentication processes conventionally 
occurring throughout the end-user's Multimedia registration, 
and with a simpler mechanism than the one conventionally 
carried out. 

[0077] A third scenario turns up where a user, accessing 
through a Wireless Local Area Network, has been authenticated 
by a UMTS network and is further accessing the Multimedia 
domain through this Wireless Local Area Network (WLAN). 

[0078] In accordance with a fifth embodiment illustrated in 
Fig. 7 under this third scenario, an end-user is attached and 
authenticated in WLAN by the UMTS network, and the end-user, or 
rather the user's equipment (UE), has obtained an IP session 
open preferably by using a conventionally so-called secure 
tunnel to the home network. This secure tunnel is preferably 
established between the user's equipment and a Packet Data 
Gateway (PD-GW) by encapsulating data from the above IP 
session, generally an IP address, within the encrypted 
message payload, whilst an external IP address not related to 
the IP session is used between the user's equipment (UE) and 
the Packet Data Gateway (PD-GW). 

[0079] At this stage and in like manner as for the first 
embodiment shown in Fig. 3, the signalling flow in Fig. 7 
shows how the end-user and SIP user-agent, namely the user's 
equipment (UE), gain access to the Multimedia domain by 
sending a SIP Register message from the user side (UE) 
towards the Multimedia domain (P-CSCF, I-CSCF). 

[0080] An Interrogating Call Status Control Function (I-
CSCF) entity initiates a conventionally called "Cx-Selection-
Info" procedure towards the Home Subscriber Server (HSS), 
namely the subscriber server in the Multimedia domain, in 
order to identify a Serving Call Status Control Function (S-
CSCF) currently in charge of the user. Once such S-CSCF is 
identified, the I-CSCF sends a corresponding SIP Register 
message to the S-CSCF. The S-CSCF receiving such registration 
message initiates a conventionally called Cx-Put procedure 
towards the Home Subscriber Server (HSS). 

[0081] Given that the HSS had previously participated in the 
authentication of the user for WLAN access by exchanging a 
user profile and user authentication vectors with a so-called 
"Authentication, Authorisation and Accounting" server 
following the 3GPP standards (hereinafter referred to as AAA-
3GPP), as illustrated in Fig. 2, the HSS can use its 
information about the secure tunnel in addition to other 
network topology information to determine the potential 
security of the signalling path for accessing the Multimedia 
domain through said access network. Thereby, in accordance 
with the invention, the HSS itself, or a dedicated Multimedia 
Authentication device, can decide an Implicit Authentication 
for said user. This decision is advantageously made when the 
Packet Data Gateway (PD-GW) belongs to the same home domain 
as the HSS, or in other situations where the PD-GW is 
considered secure and trusted. Moreover, the feature 
"Implicit Authentication for Multimedia domain" may include, 
as in previous embodiments, data provisioning and data 
configuration on a subscriber basis so that when a user has 
this service provisioned and the user is trusted, the HSS 
itself, or a dedicated Multimedia Authentication device, can 
determine an Implicit Authentication for that user. 

[0082] Therefore, the HSS incorporates an indication of 
"Implicit Authentication" in the "Cx-Put-response" towards 
the S-CSCF. Advantageously and for the sake of security, 
other relevant information may also be sent towards the S-
CSCF in the "Cx-Put-response" message, such as authentication 
type, access information like for example IP address and 
contact information, authentication timestamp, and other 
significant data to provide an extra security support. 

[0083] This fifth embodiment in Fig. 7 is aligned with the 
first embodiment in Fig. 3 and both are in accordance with an 
aspect of the invention commented above, where the user may 
be notified of an Implicit Authentication proposed by the 
network and intended for the user to accept it or not. 

[0084] Therefore, the S-CSCF sends to the SIP user-agent a 
new SIP message called "SIP 4xx Implicit Authentication" in 
the instant specification so that the SIP user-agent, if 
found acceptable, disables internally the explicit Multimedia 
Authentication procedure conventionally carried out. That is, 
the SIP user-agent shall not wait, or expect to receive, 
either an Authentication-Challenge message or authentication 
vectors as described in 3G TS 33.203. 
[0085] Once the SIP user-agent has accepted the Implicit 
Authentication, it responds to this "SIP 4xx Implicit 
Authentication" message with a new SIP Register message that 
includes an indication of "SSO enabled" intended to indicate 
to the network that the Implicit Authentication is accepted. 
The network (P-CSCF, I-CSCF) submits such SIP Register 
message towards the S-CSCF that in turn sends back a 
successful result "SIP 200 OK" towards the user's equipment 
(UE). The end-user, having accessed through a WLAN network, 
is now registered in the Multimedia domain without those 
extra periodic authentication processes typically occurring 
throughout the end-user's Multimedia registration. 

[0086] The description for the fifth embodiment illustrated 
in Fig. 7 has been matched as much as possible with the one 
for the first embodiment shown in Fig. 3. Similarly, the 
teaching from the second embodiment shown in Fig. 4, where 
GPRS is the access network, can be conveniently applicable to 
another embodiment where WLAN is the access network, the 
latter not requiring further explanation in view of the above 
embodiments. 

[0087] On the other hand, the above third embodiment, where 
GPRS is the access network, is practically applicable as well 
to another embodiment where WLAN is the access network 
inasmuch as the relevant authentication indications sent to 
the user's equipment are included as specific Attribute Value 
Pairs (AVP) in the corresponding messages of a RADIUS or 
Diameter protocol used by WLAN access. 

[0088] Eventually, the above fourth embodiment where GPRS is 
the access network is also applicable to another embodiment 
where WLAN is the access network assuming a support for Short 
Message Services (SMS) in WLAN, or by using the Circuit 
Switching technology of a GPRS infrastructure for SMS in case 
of having dual terminals as user's equipment. 
[0089] A fourth scenario turns up where a user has been 
authenticated by a CDMA 2000 network following a Packet Data 
Service attach procedure, and is further accessing a 
Multimedia domain through a Packet Data Service network. Fig. 
8 illustrates a sixth embodiment aligned with the one in Fig. 
4 under the first scenario, wherein an Authentication 
Authorization and Accounting server (AAA) acts as subscriber 
server of a CDMA 2000 network. In this respect and for the 
sake of clarity, the Authentication Authorization and 
Accounting server (AAA) of the CDMA 2000 network comprises 
all the basic functionality required to allow the access to 
Packet Data Services in a CDMA 2000 network, and all the 
functionality required for acting as a subscriber server in a 
Multimedia domain. 

[0090] Nevertheless, provided that the traditionally known 
AAA functionality for access to CDMA 2000 Packet Data 
Services resides in a different entity than the subscriber 
server for the Multimedia domain, an additional interface 
between both entities, namely between a traditional CDMA 2000 
AAA and the subscriber server for the Multimedia domain, is 
used to share user authentication data. 

[0091] Apart from these considerations, the above embodiments 
are also applicable to this scenario involving a CDMA 2000 
network assuming that the relevant information may be 
transported using extensions to the current RADIUS and 
Diameter interfaces. 

[0092] A still further embodiment is presented under the 
exemplary first scenario above and illustrated in Fig. 9, 
wherein the proposal for an implicit authentication (SSO 
Proposal) is actually triggered from the user's equipment 
(UE) itself and without having received a previous invitation 
from the Multimedia domain (IMS). Thus, the flow sequence in 
Fig. 9 presents an alternative embodiment to those in Fig. 5 
and 6 wherein the user's equipment (UE) directly submits to 
the Multimedia domain (IMS) its proposal for an implicit 
authentication (SSO Proposal), without having received the 
previous invitation with an Update Location Answer message or 
with a Short Message Service (SMS), and in order to carry out 
such implicit authentication between said user's equipment 
and Multimedia domain. 

[0093] This new approach might as well be applied to modify 
other above embodiments and independently of the applying 
scenario. 

[0094] The invention is described above in respect of 
several embodiments in an illustrative and non-restrictive 
manner. Obviously, modifications and variations of the 
present invention are possible in light of the above 
teachings, and any modification of the embodiments that falls 
within the scope of the claims is intended to be included 
therein. 